I'm trying to force SSSD to only communicate encrypted, because of company rules.
I think I'm missing something:

SSSD configured with: id_provider = ad

and DNS service resolution is enabled (default)

I have tried about every combination of:

ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow

in sssd.conf [domain] section.
However, I can see an SSSD LDAP connection over port 389.

# netstat -tanp | grep sssd_be
tcp        0      0 172.16.5.202:53520      172.16.1.241:389        ESTABLISHED 18080/sssd_be

Have I just missed something?
Do I need to pull the certificates from AD to make it work? I'm not really interested in verifying the certificates, only in ensuring an encrypted channel.